Re: Primary domain's status in winbindd child process is not consistent with the parent winbindd process. - Samba


  1. Re: Primary domain's status in winbindd child process is not consistent with the parent winbindd process.

    >>> Jeremy Allison 06/03/08 8:25 AM >>>
    On Mon, Jun 02, 2008 at 01:54:55PM -0700, Jeremy Allison wrote:
    > On Mon, Jun 02, 2008 at 02:15:15AM -0600, Bo Yang wrote:
    > > Hi, All:
    > >
    > > Assume the winbindd parent process is Pp, and domain A (the primary domain) trusts domain B; the child processes for domains A and B are Pa and Pb respectively.
    > >
    > > Cached logon is enabled and Kerberos login is disabled.
    > >
    > > Pa and Pb will both be forked, and the primary domain's status in the two processes is initialized and offline.
    > >
    > > Some time later, domain A (primary domain) and domain B both go online. Thus the status of the primary domain is updated in Pp and Pa, but not in Pb.
    > > So the status of the primary domain in Pb is still offline and initialized, but domain B's status is online. When a PAM_AUTH request arrives, cached logon is not performed because domain B is online; samlogon is performed instead, and Pb tries to connect to the DC of the primary domain (domain A) for pass-through authentication. But domain A's status in Pb is always offline and initialized (never being updated), thus PAM_AUTH will always return a DOMAIN_CONTROLLER_NOT_FOUND error.
    > >
    > > We should keep track of the status of the primary domain in the child winbindd process, I think.
    > >
    > > Patch for 3-0-test and v3-2-test in the attachment.
    > >
    > > Please review it.

    >
    > Ok, I'm trying to review and follow the logic.
    >
    > There's a question I have however.
    >
    > The pam auth request comes in for the user B\fred,
    > ie. user fred in the trusted domain. So the
    > auth request gets passed down to Pb. But domain
    > B is online - when does Pb need to contact the domain
    > controller for domain A?
    >
    > Give me a better description of the usage scenario
    > please.


    Ok, I looked very closely at the code. I don't think
    this patch is correct for 3.0.x. I can't see any case
    where Pb contacts Domain A in 3.0.x.

    It will. The function call stack is shown below:

    winbindd_dual_pam_auth() ----> winbindd_dual_pam_auth_samlogon() [because domain B (Pb, trusted domain) is online] ---->

    because we are a domain member, not a DC, contact_domain = find_our_domain(); and then result = cm_connect_netlogon(contact_domain, &netlogon_pipe);

    i.e., cm_connect_netlogon() is called to contact the primary domain (domain A) ------> init_dc_connection(). Here is the problem: if the status of the primary domain is not
    updated in Pb, the status is always initialized and offline. Please have a look at

    if (domain->initialized && !domain->online) {
            /* We check for online status elsewhere. */
            return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
    }

    in init_dc_connection(), which always returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND.

    Please let me know if there is anything I got wrong or didn't explain clearly.


    Thanks!



    In 3.2 however I think you're correct. The function
    set_dc_type_and_flags_trustinfo() does cause Pb to
    attempt to contact Domain A, so the fix is good there.

    I'll commit it in the 3.2 and 3.3 branches (with
    added comments) - thanks a *lot* for catching this.
    Good work !

    Jeremy.

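The failure path Bo Yang walks through above, replayed as a small constructed C model. This is an added example, not Samba code: every name in it is hypothetical except the `initialized && !online` check, which mirrors the one quoted from init_dc_connection(). Each process holds a private copy of every domain's state, so a child forked while the primary domain was offline keeps that stale copy until the parent explicitly pushes the change down.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the thread's bug (not Samba code). */

enum auth_result {
    AUTH_CACHED_LOGON,   /* own domain offline: cached logon path taken */
    AUTH_SAMLOGON_OK,    /* netlogon pipe to the primary domain set up */
    AUTH_DC_NOT_FOUND    /* stands in for NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND */
};

struct domain_state {
    const char *name;
    bool primary;
    bool initialized;
    bool online;
};

/* One child's view: the domain it serves plus its private copy of the
 * primary domain (hypothetical layout; both are inherited across fork()). */
struct child_proc {
    struct domain_state own;
    struct domain_state primary;
};

/* Same check as the one quoted from init_dc_connection() in the thread. */
static enum auth_result init_dc_connection(const struct domain_state *d)
{
    if (d->initialized && !d->online) {
        /* We check for online status elsewhere. */
        return AUTH_DC_NOT_FOUND;
    }
    return AUTH_SAMLOGON_OK;
}

/* Simplified winbindd_dual_pam_auth(): a domain member authenticating a
 * trusted-domain user passes samlogon through the primary domain's DC. */
static enum auth_result dual_pam_auth(const struct child_proc *pb)
{
    if (!pb->own.online) {
        return AUTH_CACHED_LOGON;
    }
    /* contact_domain = find_our_domain(); cm_connect_netlogon(contact_domain, ...) */
    return init_dc_connection(&pb->primary);
}

/* The fix, in model form: the parent tells the child that the primary
 * domain changed state and the child refreshes its own copy
 * (hypothetical message handler). */
static void child_on_primary_domain_online(struct child_proc *pb,
                                           const struct domain_state *parent_primary)
{
    pb->primary.online = parent_primary->online;
}

/* Replays the scenario: A and B start offline, Pb is forked, then both
 * domains come online. Without propagation Pb's copy of A is never updated
 * and auth fails; with propagation it proceeds to samlogon. */
enum auth_result replay_scenario(bool propagate_primary_status)
{
    struct domain_state a = { "A", true, true, false };   /* primary domain */
    struct domain_state b = { "B", false, true, false };  /* trusted domain */

    /* fork(): Pb inherits both states as they are right now (both offline) */
    struct child_proc pb = { b, a };

    /* some time later: both domains go online. Pp updates A, Pb updates B */
    a.online = true;
    pb.own.online = true;

    if (propagate_primary_status) {
        child_on_primary_domain_online(&pb, &a);
    }
    return dual_pam_auth(&pb);
}

int main(void)
{
    printf("without propagation: %s\n",
           replay_scenario(false) == AUTH_DC_NOT_FOUND ? "DC_NOT_FOUND" : "ok");
    printf("with propagation:    %s\n",
           replay_scenario(true) == AUTH_SAMLOGON_OK ? "samlogon ok" : "failed");
    return 0;
}
```

The point the model makes is the one the patch addresses: after fork() the child's copy of the primary domain is independent memory, so an online transition observed by the parent is invisible to the child unless it is delivered and applied there. The cached-logon branch is kept only to show why domain B being online is what steers the request onto the failing path.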

  2. Re: Primary domain's status in winbindd child process is not consistent with the parent winbindd process.

    On Mon, Jun 02, 2008 at 09:20:55PM -0600, Bo Yang wrote:
    >
    > It will. The function call stack is shown below:
    >
    > winbindd_dual_pam_auth() ----> winbindd_dual_pam_auth_samlogon() [because domain B (Pb, trusted domain) is online] ---->
    >
    > because we are a domain member, not a DC, contact_domain = find_our_domain(); and then result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
    >
    > i.e., cm_connect_netlogon() is called to contact the primary domain (domain A) ------> init_dc_connection(). Here is the problem: if the status of the primary domain is not
    > updated in Pb, the status is always initialized and offline. Please have a look at
    >
    > if (domain->initialized && !domain->online) {
    >         /* We check for online status elsewhere. */
    >         return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
    > }
    >
    > in init_dc_connection(), which always returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND.
    >
    > Please let me know if there is anything I got wrong or didn't explain clearly.


    Ok, that makes perfect sense - thanks for the explanation.

    Jeremy.

